The Anatomy of an Exploit

I’m a huge fan of security. I spend many a weekend experimenting with new encryption techniques, hash algorithms, and security protocols.

As a result, I also come across several different server exploits in the wild. PHP hacks, .htaccess hacks, JavaScript injection, etc. I once even saw a server hacked through a corrupt PNG image that installed a PHP console when it was loaded.

To a new developer, is is all pretty scary stuff. Here’s an example of an exploit I came across last week – and how to both prevent and recover from it.

The Exploit

A friend alerted the world via Twitter to an odd issue posted in the WordPress forums. A specific site was being redirected to a Russian website, but only if you visited with a mobile device.

I loaded the website both on my desktop and Android phone to see the difference – sure enough, the page loaded fine on the PC and the phone got Russian spam.

Next, I turned to Fiddler to see what else I could diagnose.

With a desktop user agent, everything came across the wire just fine. Substituting a mobile user agent string – or any string containing the words “Android” or “iPhone” yielded somewhat different results:

There is now a coded block of JavaScript injected above the opening <!DOCTYPE html> tag. When decoded, this script writes a new script tag to the browser. This script tag loads a remote URL that forces a redirect from the site you’re on to a site of the hacker’s choosing.

I followed up with my results in the forums, and mentioned them on Twitter. That’s when Sucuri Security joined the conversation and confirmed this is a known malware bug.

How To Fix It

Most known bugs also have known fixes – in this case, the exploit was a poorly secured .htaccess file that loads the extra script based on the user agent passed in the request. Flushing the file is usually enough to remove it.

But that’s never enough for me.

Once an attacker has access to your system, they’ll likely install more than one back door. Yes, .htaccess is obviously corrupt. But there might be code lurking in a random PHP or JavaScript file on the server, just waiting to re-infect your site.

Ideally, you’ll also remove all themes and plugins and reinstall them from clean sources as well. If you can’t, make sure you go through each line of every PHP file and make sure there isn’t anything hinky going on there. 1

Go through your entire /uploads directoy and make sure no rogue files or scripts are lying around

Restore your database from the most recent (clean) backup

If you don’t have a backup, get ready for a long night of going through data tables manually to be sure there isn’t anything hiding in the database

And really, why don’t you have an automated backup? Set one up now while you’re at it!

Ask another developer to double check your work to be sure you haven’t missed anything.

In a pinch, you can also hire the experts at Sucuri to clean things up for you. They know what they’re doing and have likely cleaned up this specific hack already.

Don’t Get Hacked in the First Place

There’s quite a bit you can do to harden your sitebefore it gets hacked. Here are just a few quick recommendations:

Share this:

Eric Mann is a writer, web developer, and outdoorsman living in the Pacific Northwest. If he's not working with new technologies in web development, you can probably find him out running, climbing, or hiking with his dog.